Tunnelblick Saying Update Improperly Signed


BurstVPN

Apr 9, 2012, 11:53:52 AM
to tunnelblick-discuss
Hi,

I'm having issues having updates pushed to the client. So what I've
done is had an appcast.rss hosted on my site for the Sparkle framework
to work.

The version on the server side is signed with the same certificate as
the one I'm currently using, however it is at a higher version. It
prompts that there is an update perfectly fine, but approaching the
end of the download, it seems to give an error, saying that it's
improperly signed.

How can I fix this issue?

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>BurstVPN</title>
<link>http://updates.burstvpn.com/appcast.rss</link>
<description>Most recent changes with links to updates.</description>
<item>
<title>BurstVPN Client (Added Japan, Tokyo.)</title>
<sparkle:releaseNotesLink>
http://www.updates.burstvpn.com/v10200.html
</sparkle:releaseNotesLink>
<pubDate>Tue, 27 March 2012 8:00:00 +0800</pubDate>
<enclosure url="http://updates.burstvpn.com/BurstVPN.dmg"
sparkle:version="10200"
sparkle:dsaSignature=""
length=""
type="application/octet-stream" />
</item>
</channel>
</rss>

jkbull...gmail.com

Apr 9, 2012, 12:29:00 PM
to tunnelbli...@googlegroups.com
Some comments, in no particular order:

Make sure you're not confusing the update signature with the digital signature on the app. See Digital Signatures for details.

Your actual .rss must contain a valid length field and signature:

The length should be the output of
stat -f %z path-to-the-.zip-file

The signature should be the output of
sign_update.rb path-to-the-.zip-file path-to-dsa-priv.pem

A standard copy of Tunnelblick contains the Tunnelblick Project's dsa_pub.pem, and it will only accept updates that are signed by the Tunnelblick Project private key. (That's the whole point of the digital signatures.) So you have to distribute a copy of Tunnelblick that not only has a Deploy folder, but has your dsa_pub.pem. That can be updated only with an update signed by your private key.

An alternative is to skip the DSA signatures, and update from an https: site. Then the signature is unnecessary.
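
Added example, not part of the original thread or of the Tunnelblick/Sparkle code: a pre-publish check that flags the two empty enclosure fields from the question, following the rules stated in the reply above. The function name lint_appcast, the actual_sizes parameter and the embedded sample are assumptions made for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"


def lint_appcast(xml_text, actual_sizes=None):
    """Return (enclosure_url, problem) tuples; actual_sizes maps url -> bytes."""
    actual_sizes = actual_sizes or {}
    problems = []
    for enc in ET.fromstring(xml_text).iter("enclosure"):
        url = enc.get("url", "")
        length = enc.get("length", "")
        sig = enc.get("{%s}dsaSignature" % SPARKLE_NS, "")
        if not length.isdecimal():
            problems.append((url, "length is missing or not a byte count"))
        elif url in actual_sizes and int(length) != actual_sizes[url]:
            problems.append((url, "length does not match the file size"))
        if not sig:
            # Per the reply above, the signature may be skipped only for https: updates.
            if not url.startswith("https:"):
                problems.append((url, "no dsaSignature on a non-https download"))
            continue
        try:
            der = base64.b64decode(sig, validate=True)
        except (binascii.Error, ValueError):
            problems.append((url, "dsaSignature is not valid base64"))
            continue
        # OpenSSL writes a DSA signature as a DER SEQUENCE, so the first byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append((url, "dsaSignature is not a DER-encoded signature"))
    return problems


# Constructed sample: the enclosure from the question, with its empty fields.
SAMPLE = """<rss version="2.0"
 xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
<channel><item>
<enclosure url="http://updates.burstvpn.com/BurstVPN.dmg" sparkle:version="10200"
 sparkle:dsaSignature="" length="" type="application/octet-stream" />
</item></channel></rss>"""

if __name__ == "__main__":
    for url, problem in lint_appcast(SAMPLE):
        print(url, "->", problem)
```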

BurstVPN

Apr 12, 2012, 6:16:00 AM
to tunnelbli...@googlegroups.com
How can I create a public and private DSA on Mac?

jkbull...gmail.com

Apr 12, 2012, 7:04:45 AM
to tunnelbli...@googlegroups.com
The documentation for Sparkle is at https://github.com/andymatuschak/Sparkle/wiki

Section 3 describes how to create and use signing keys.

You'll have to download Sparkle 1.5b6 from http://sparkle.andymatuschak.org (use "Get Sparkle 1.5 b6" button on the right side.)